The cybersecurity world has always had its "script kiddies," unskilled hackers who use other people's automated tools for easy, low-hanging fruit attacks. This week they got a belated Christmas gift: A tool called AutoSploit sews together existing hacking tools to offer even the most clueless hacker a way to automatically locate and compromise vulnerable internet-connected devices. The open-source program, released by a researcher who goes by the pseudonym Vector, combines the search engine for internet-connected devices known as Shodan with the hacking framework Metasploit to allow nearly point-and-click penetrations. Type in keywords to locate certain devices or targets, and AutoSploit will both list available targets and allow hackers to launch a menu of pre-loaded hacking techniques against them.

Though the program does little more than what Shodan and Metasploit could already accomplish in a more manual combination, the move to make internet-wide exploitation one degree more seamless has sparked controversy. "There is no legitimate reason to put mass exploitation of public systems within the reach of script kiddies," wrote well-known security consultant Richard Bejtlich on Twitter. "Just because you can do something doesn't make it wise to do so. This will end in tears."

When a company or government adds a security appliance to its racks, it generally hopes that it will make them more secure—not create a new, gaping hole into their network. So it was particularly disquieting this week when Cisco announced a fix for a serious hackable flaw in its popular Adaptive Security Appliance, which offers security services like a firewall and VPN. The now-patched bug rated a 10 out of 10 on the Common Vulnerability Scoring System, allowing hackers a fully remote foothold in those appliances from which they could run any code they pleased. The flaw was found by security researcher Cedric Halbronn, who will present it this weekend at the security conference REcon in Brussels. Though Cisco wrote in its advisory that it hadn't found any evidence of the flaw being exploited in the wild, it could have allowed hackers an entry point into victims' networks, or at the very least disabled a security protection on which they depended.

Biometric authentication systems often promise to improve on the shortcomings of traditional, password-based authentication. In Lenovo's case, however, it turns out the fingerprint readers built into the company's laptops were themselves protected with nothing but a hardcoded password. Anyone with access to one of those laptops—dozens of its laptop models running everything from Windows 7 to Windows 8.1—who knew that password could use it to bypass the fingerprint scanner and access the data it stored, which included credentials for web logins. Lenovo this week released an update for that faulty fingerprint scheme, which also used dangerously weak encryption.

Most reports of broad cyberespionage campaigns targeting activists and journalists bring to mind highly resourced state-sponsored hackers. But a new report from the civil society-focused security group Citizen Lab shows that a relatively sophisticated hacking operation against Tibetan activists cost just over $1,000 in IT expenses. The hackers' 172 fake domains, which served as the landing pages for phishing emails, cost just $878 in domain registration fees and $190 in server charges over 19 months. The group acknowledges that the staffing costs of such a spying campaign, which they didn't attempt to estimate, remain the biggest expense. But the overall affordability of hacking has nonetheless been driven in part, Citizen Lab says, by the free HTTPS certificate authority Let's Encrypt, and more generally by the lingering simplicity of phishing as a hacking technique; victims, especially in developing countries, still often don't use the two-factor authentication that would prevent easy breaches.
